editor-layer-index at npm was taken down, claimed to contain malware, npm audit gives scary warning on install #10772
Comments
I don't think osmlab/editor-layer-index ever published to the npmjs.com registry. I think what happened is someone else published malware into the untaken namespace to try and catch unsuspecting developers trying to npm install from the registry instead of directly from github.com/osmlab/editor-layer-index. Then the npmjs team took over the package. It looks like a bug in npm audit: if we never request a package from npmjs.com within package.json, why is it reporting security issues relating to it?

Oh, this is really unfortunate. Does anyone have experience with such situations? Could it be worth trying to contact npm's support (perhaps via https://support.github.com/contact/npm-name-disputes maybe??) to get this transferred? Alternatively, we'd have to either live with the false positive produced by

I can try - if you think it is a good idea, can you post that here so I will have evidence that my request is coming from the project, not another hijacker?

It's probably more effective if I try, as I'm already a member of all relevant npm and github organizations/repos. Or do you prefer to take care of this @andrewharvey?

Nope, all yours @tyrasd, agreed it's probably more effective coming through you.
As I understand: at some point https://www.npmjs.com/package/editor-layer-index was taken down. Maybe it actually had malware.
https://github.com/openstreetmap/iD/blob/develop/package.json#L101C28-L101C69 points not to NPM but to github
but npm audit does npm audit things and emits scary warning linking GHSA-jq9w-gjvg-mxr8
Is it avoidable somehow? It is definitely scary for new contributors
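The thread's central claim is that npm audit flags a package by name even though package.json pulls it from GitHub rather than the registry. A quick way to verify that for your own checkout is to read package-lock.json and check where the flagged package was actually resolved from. The script below is an added example, not code from the iD project or from osmlab; it embeds a constructed lockfile (lockfileVersion 3 layout, with a placeholder commit hash) and assumes the standard `resolved` field conventions: `https://registry.npmjs.org/...` for registry tarballs, `git+...` or `github:...` for git dependencies, `file:` for local paths.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile in the lockfileVersion 3 layout. The commit hash
# is a placeholder; none of this is taken from the iD repository.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {}},
        "node_modules/editor-layer-index": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/osmlab/editor-layer-index.git#0000000000000000000000000000000000000000",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/local-thing": {
            "version": "0.1.0",
            "resolved": "file:vendor/local-thing",
        },
    },
})

# Hosts we treat as "the npm registry". Add a private mirror here if you use one.
REGISTRY_HOSTS = {"registry.npmjs.org"}


def classify_resolved(resolved):
    """Return 'registry', 'git', 'file' or 'unknown' for a lockfile 'resolved' value."""
    if not resolved:
        return "unknown"
    if resolved.startswith("git+") or resolved.startswith("github:"):
        return "git"
    if resolved.startswith("file:"):
        return "file"
    host = urlparse(resolved).hostname
    if host in REGISTRY_HOSTS:
        return "registry"
    return "unknown"


def package_name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package name)."""
    return path.split("node_modules/")[-1]


def dependency_sources(lock_text):
    """Map every installed package name to the kind of source it was fetched from."""
    lock = json.loads(lock_text)
    sources = {}
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, entry in lock["packages"].items():
            if not path:
                continue  # the root project entry has an empty key
            sources[package_name_from_path(path)] = classify_resolved(entry.get("resolved"))
    elif "dependencies" in lock:  # lockfileVersion 1: git deps carry 'github:...' in 'version'
        for name, entry in lock["dependencies"].items():
            sources[name] = classify_resolved(entry.get("resolved") or entry.get("version"))
    return sources


def advisory_applies(lock_text, package):
    """True only if the flagged package was really installed from the npm registry.

    A False result means the advisory refers to a registry publication that this
    project never downloaded; the git-pinned copy still needs its own review.
    """
    return dependency_sources(lock_text).get(package) == "registry"


if __name__ == "__main__":
    for name, source in sorted(dependency_sources(SAMPLE_LOCK).items()):
        print(f"{name:25} {source}")
    print("advisory applies to editor-layer-index:",
          advisory_applies(SAMPLE_LOCK, "editor-layer-index"))
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file contents. A `git` or `file` result for the package npm audit names tells a new contributor that the warning concerns a registry upload the project never fetched; it does not, by itself, say anything about the safety of the commit pinned in package.json, which is a separate check.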